Cryptography in Canada

Abstract:

This report examines the science of cryptography in Canada. A brief
history of the use of cryptography in Canada is given, along with a
description of what how cryptography works and what makes it
important to Canada. The focus of this report is the Canadian
Government's involvement with cryptography, including its
cryptography policies and uses. A short exploration of interesting
cryptographic research is also given, and we end with some questions
about the use of cryptography and how to best implement cryptography
policies.

Introduction

Cryptography is becoming more important in Canada, not only in the
classical sense of national security, but also in the relatively new
electronic commerce arena, and in commerce in general. Cryptography is
used everyday. Every time you use a bank machine, or log into the
University of Calgary's Infonet, you are using cryptography and not
even knowing it. But as the importance of cryptographic technology grows,
concerns over how to legislate and control cryptography are pitting
privacy, civil rights, and commerce concerns against law enforcement
and national security interests.

In World War II, the importance of cryptography suddenly became
apparent. Allied forces called on the best mathematical minds of the
time, some of whom were Canadian, to break the German and Japanese
codes that kept those countries communications shrouded in secrecy
(Granatstein, Stafford, 1990). After the war, the importance of
gathering signals intelligence (SIGINT) and making sense of it did not
wane; indeed, it became fundamentally important to the national
security of many nations as the Cold War picked up. As the Cold War
ended, security agencies began to focus on the terrorist threat, and
were particularly concerned with the free availability of encryption
technologies such as Pretty Good Privacy (PGP) (Levy, 2001) that can
foil the best minds and the fastest computers. During the 1980's,
developments in networking and communications for military purposes,
such as ARPAnet, began to reach a more general audience. With the
invention of hypertext by Tim Berners-Lee in 1991, electronic commerce
became a economic force of its own. The rise of e-commerce during the
late 1990's made cryptography increasingly important.

The invention of hypertext and the resulting ubiquity of the world
wide web required encryption if sensitive information such as credit
card numbers and business data was to be passed over the network in
the process of conducting electronic commerce. Symmetrical
cryptography, where the same key is used to encode and decode the
message, would never work. There is simply no secure way to pass the
keys between parties. This is especially true when there are a large
number of parties involved, as in a modern commerce system (Levy,
2001). The innovation that made electronic commerce possible was the
invention of public key cryptography, which is usually attributed to
Whitfield Diffie and Marty Hellman (Levy, 2001).

To analyze the current state of cryptography in Canada, we will first
look at Canada's part involvement with the science of cryptography. To
facilitate our exploration of cryptography, we will examine the
technologies and techniques involved to gain an understanding of how
they work. We will then examine current users and producers of
cryptographic technology and look at the research currently being
conducted to get a sense of the current state of cryptography in
Canada.

Cases examined in this report are primarily focused on Government
departmental projects which involve cryptography. Most of these
projects enable secure communications within the department or between
the department and citizens that need to interact with that
department.

This report makes use of a range of sources, but it relies
heavily on web based information published mostly by the Government of
Canada (GoC). Several books were also consulted, which were relied upon
mostly to provide technical and historical details.

History of Canadian cryptography

The Communications Security Establishment (CSE), Canada's equivalent
of the United States' National Security Agency (NSA), was founded as
the Examination Unit, a branch of the National Research Council, in
1941. Its role during the Second World War was to help with the Allied
Signals Intelligence (SIGINT) effort. In the early part of the war,
the Examination Unit was particularly focused on the messages of
Abwehr (German Intelligence) agents operating in South America. Oliver
Strachey, a British expert in Abwehr codes, was imported to help get
the Examination Unit started. By 1943, Abwehr intelligence was
becoming less important, and was dropped as the Examination Unit
focused its efforts on Japanese signals. Vichy French messages in
Indo-China were soon added to the Examination Unit's target list. By
the end of 1942, the volume of information being intercepted related
to the Pacific theater became so great that a separate unit within the
Examination Unit was established to handle it (Granatstein and
Stafford, 1990).

After the end of the war, the future of Allied intelligence services
was up in the air. Some saw no place for continued intelligence
operations. This attitude somewhat mirrored that present after the
First World War, when Henry Stimson reportedly said that ``gentlemen
do not read each other's mail'' (qtd in Granatstein and Stafford,
1990). While other intelligence agencies went out of business, SIGINT
operations were allowed to continue. President Truman blessed
continued American SIGINT operations in September of 1945, and a meeting of
diplomats and External Affairs officials on New Year's Eve secured the
Examination Unit's place in the Allied intelligence community
(Granatstein and Stafford, 1990).

Sometime after December of 1945, the Examination Unit was renamed as
the Communications Branch of the NRC. SIGINT operations continued, as
did collaboration with the United States and other Allies (Library of
Parliament, 1994).

1947 brought the UK/USA Security Agreement, in which Canada, New
Zealand and Australia were assigned secondary roles. They were to
provide raw signals intelligence to the primary partners, the United
States and the United Kingdom. Canada also signed a separate bilateral
agreement with the United States in 1948 (Library of Parliament,
1994).

On April 1st, 1975, responsibility for Canada's newly renamed SIGINT
unit was transfered by an Order in Council under the Public Service
rearrangement and transfer of Duties Act from the National Research
Council to the Department of National Defense. The SIGINT unit was now
known as the Communications Security Establishment (CSE) (Library of
Parliament, 1990).

As of 1990, the CSE had two primary roles. One was to perform signals
intelligence (SIGINT), which is the interception and decoding of
foreign transmissions, and the other was to provide information
security (INFOSEC) to the Canadian government (Granatstein, Stafford,
1990).

Public sector use of cryptography has been explored since 1993, when
the Communications Security Establishment lead an initiative to
develop a Public Key Infrastructure (PKI). With the support of department
partners, a contract with the Secure Networks arm of Bell Northern
Research was signed to develop the PKI. In 1995, one of the
working groups of the Information Technology Security Strategy
Committee of the Council for Administrative Renewal designed a
business case outlining the need for encryption and digital signature
capability, leading to approval for the first stage of development of
the GoC PKI (GoC PKI, 2000).

In May of 1996, the Government responded to the 1995 report of the
Information Highway Advisory Committee, by recognizing concerns about
privacy, security, legal validity, and authentication. The Government
also reaffirmed its commitment to information technology, and assigned
the Minister of Industry to work with other stakeholders to ensure
various electronic systems were able to work together (GoC PKI, 2000).

Digital signature technology was recognized as being of fundamental
importance to the Governments electronic programs in the Electronic
Authorization and Authentication (EAA) Policy in July of
1996. December of 1997 saw the creation of the Electronic Commerce
Task Force, and the Treasury Board of Canada Secretariat's report on
Plans and Priorities for 1998-99 identified a secure environment for
electronic service delivery as the most important infrastructure
priority (GoC PKI, 2000).

An Interdepartmental Task Force was established in April of 1998 to
support and co-ordinate the implementation of the Government of Canada
Public Key Infrastructure. In December of the same year, the GoC PKI
Policies document was published (GoC PKI, 2000).

In May of 1999, the GoC PKI Task Force was renamed to the GoC PKI
Secretariat, and the Policy for PKI Management in the GoC was approved
by Treasury Board Ministers (GoC PKI, 2000).

Canada's public key infrastructure is now in use in a number of
Government of Canada departments (GoC PKI, 2000).

Brief History

The great breakthrough that really made it possible to secure
communications was the development of the public key system, which is
generally thought to have been invented by Diffie and Hellman of
Stanford in 1975. Public key cryptography had actually been thought up
ten years earlier, by a man named James Ellis, who was working for the
British General Communication Headquarters (GCHQ); the British sister
agency to the CSE in Canada and the NSA in the United States. The GCHQ
didn't see any reason to pursue Ellis' idea; after all, the
symmetrical cryptography they were using was proven and any change
could introduce holes that might put sensitive information at risk
(Levy, 2001).

Although Diffie and Hellman explored where no one in the cryptography
world had ever thought to explore before, and had come up with the
idea of public key cryptography, they didn't have any actual tools to
make it work. That's where Rivist, Shamir, and Adleman of MIT came
in. In 1977, the three mathematicians were able to conjure up an
algorithm that made public key cryptography a reality (Levy, 2001).

Why public key cryptography?

The problem with conventional symmetric cryptography is that the two
parties must have a method of exchanging a key. If the key is
intercepted by an enemy party, a credit card thief for example, the
whole transacting is compromised. If electronic commerce had to depend
completely on symmetrical encryption, it would be impractical to
secure anything, especially in a way that was transparent to the end
user. Each electronic exchange of encrypted material would require a
corresponding secure key exchange, meaning not through any method
where the key could potentially be intercepted. The necessity of this
key exchange which would eliminate any convenience gained from the use
of an electronic information exchange in the first place. The solution
to this problem is public key cryptography.

How public key cryptography works

The public key system conceived by Diffie and Hellman relies on pairs
of keys; one private key, known only to the person who owns it, and
one public key, which anybody can see and use. When one party, say
Alice, wants to communicate securely with another party, say Bob, Alice
can take Bob's public key and use it to encrypt the message, which can
then only be decrypted with Bob's private key. If Bob hasn't given anyone
his private key, and assuming that subversive elements haven't been
able to steal it, only Bob will be able to decrypt the message that
Alice sent to him.

The problem with this system is knowing for sure that the public key
being used to encrypt the message is really Bob's. If a third party,
say Eve, was to somehow replace Bob's public key with her own, and
Alice then used that subverted public key to encode a message to Bob,
Eve could intercept the message, decrypt it and read it, and then
re-encrypt it with Bob's real public key, and send it on to Bob. In
this manner, Eve would be able to intercept communications from
Alice to Bob, and Alice and Bob would never even know. So the
question becomes thus: how can Alice be sure that Bob's public key is
really Bob's public key?

The importance of public key infrastructure

The answer to this question in the public key infrastructure
(PKI). A PKI is a system which uses a side-effect of public key
cryptography, the ability to create digital signatures, to guarantee the
validity of a public key. If Bob were to use a PKI, he could go to his
local Certificate Authority (CA), present his identification, and
give the CA a copy of his public key directly. Alternatively, the CA
could generate a key pair for Bob, and give Bob the private key, but
this might allow the CA save a copy of Bob's private key and use it to
decrypt any messages sent to Bob or forge digital signatures in his
name. Once the CA had Bob's public key, they would digitally sign it
using their own private key and publish it on a website or in various
directories. Anyone who trusted that Certificate Authority could
download Bob's key from the CA and verify the CA's signature on the
key, and could then be confident that the key had not been tampered
with (``GoC PKI Initiative'', 1998).

There are decentralized variations on this idea, which don't require a
central Certificate Authority. A web-of-trust may be built up by
individuals signing each other's keys, rather than a single CA signing
all of the keys. In a web-of-trust, Alice and Bob can meet face to
face and exchange keys on disk, or they can send them by email and
verify them by reading hashes of the keys over the telephone. Once
Alice is absolutely sure she has Bob's correct public key, she can
digitally sign it using her private key. Now if a third party,
Charlie, wants to send something to Bob, but can't directly verify
Bob's public key, he can look at it and see that it has Alice's
signature on it. Since he knows that he can trust Alice not to sign
someone's key without verifying that person's identity, he can be
confident that Bob's public key has not been tampered with. Charlie
can now add his own digital signature to Bob's public key, and now
other people who trust Charlie can trust Bob's public key too (``The GNU
Privacy Handbook'', 1999).

Although web-of-trust arrangements work well on small scales, they
would be impractical when used in the context of a large economy.
While the web-of-trust system works well for small groups of people
who don't want to place trust in a centralized authority, PKI systems
work well for large groups of people who don't know each other and are
willing to trust a centralized authority. The Government of Canada has
recognized the importance of a large scale PKI system to ensure the
security of its communications, and now has a full scale PKI system in
place (``GoC PKI Initiative'', 2001).

Government of Canada Cryptography Use

Public Key Infrastructure

The Government of Canada Public Key Infrastructure has three main
goals. The first is to help the government conduct business
electronically as much as possible (e-government). The second is to
facilitate the growth of electronic commerce, both within Canada and
internationally. The last goal is to help make Canada the most wired
nation in the world (``GoC PKI Initiative'', 2001).

A number of departments within the government are now using or
planning to use the public key infrastructure. Departments which have
programs using the PKI include Industry Canada, the National Energy
Board, Human Resources Development Canada, Statistics Canada, the bank
of Canada, and Government Telecommunications and Informatics Services,
among others (``Pathfinder Profiles'', 2000).

The Canada Customs and Revenue Agency (CCRA) has started to use the
Government of Canada's public key infrastructure (PKI) programs in some
of its projects. It also has other projects that don't directly make
use the PKI, but use cryptography to protect communications between
ordinary Canadians and the department.

Customs Internet Gateway

The most developed program at this point is the
Customs Internet Gateway (CIG), which is a system which gives CCRA
trading partners the ability to transmit sensitive data such as entry,
release, and accounting information over the Internet. The system is
designed to reduce the costs of using older CCRA electronic
technologies that relied on dedicated networks. (``Customs Gateway'', 2000)

NETFILE is the system put in place by the Canada Customer and Revenue
Agency to give Canadian citizens the ability to file their income tax
returns over the Internet. It began in November of 1999 as a pilot
project. The NETFILE project was on time, came in under budget, and
was able to process returns in about 2 seconds, which is much faster
than what the CCRA had expected. The pilot project invited 3.8 million
Canadians to participate, of which about 380,000 were expected to
participate. In fact, 443,654 1999 tax returns were filed using
NETFILE. The success of the pilot project prompted the CCRA to make
NETFILE a more permanent way of filing income tax returns, and for
the 2000 tax season about 22 million Canadians were invited to file
their returns with NETFILE (``About NETFILE'', 2001). The Canada Customs
and Revenue Agency recently boasted about the security of NETFILE:

``The U.S. doesn't use anything that's close to us... We haven't had
any incidents, and we don't really expect any incidents.''

(qtd. in ``Security of Canada's NETFILE envy of world'', 2001)

NETFILE is an excellent example of the Government of Canada successfully
moving towards electronic government.

The Canadian government has a continued vested interest in the growth
of Canadian online commerce, and in order to encourage the online
economy and protect consumer privacy, has made cryptography laws
relatively lax, and the government intends to keep it that way
(``Cryptography Policy Backgrounder'', 2000). Law enforcement agencies see
the ability of the private citizen and the online business to encrypt
communications beyond their ability to decrypt them as a major threat.
Law enforcement agencies argue that the ability for anyone to send
encrypted information will hinder investigations, and will harm the
agencies ability to effectively combat threats such as domestic and
international terrorism (Levy, 2001).

Dr Ross Anderson (qtd. in Caelli 5), referring
to the push to restrict the availability and use of cryptography says that

...the national signals intelligence agencies are being massively
incompetent. Why? Because they should have kept quiet, kept their
heads down and done nothing.

Until recently, the American Government, at the urging of the NSA had
been attempting to enact draconian schemes to control cryptography.
In contrast, Canada has continued a relaxed policy, allowing its
citizens free and unrestricted use of any kind of cryptography. The
now defunct Clipper Chip is an example of the NSA's attempts to
control the technology that it felt it had a monopoly on. The Clipper
Chip was supposed to help bring strong encryption to the masses while
still allowing the American Government the ability to decrypt those
communications.

The United States government has lifted its long held
restriction on the export of the munition cryptography (``Encryption
FAQ'', 2000), and is starting to realize that the rest of the world has
at least caught up with the United States in the cryptographic field
(Levy, 2001). An exceptional example of international cryptography is
the US government's new Advanced Encryption Standard (AES), which is
an algorithm named Rijndael, developed by Dr. Joan Daemen and Dr.
Vincent Rijmen of Belgium (``AES Fact Sheet'', 2001).

Canada's Department of National Defense (DND) is probably one of the
biggest users of cryptographic technology in Canada. Cryptographic
technologies in the DND are primarily controlled by the Information
Management group (IM Gp) of the DND. This group ``provides direction, military
operations support, products and services, to manage information as an
essential component of the departmental mission and objectives'' (``IM
Gp'', 2001). Within the Information management group, there
exists the Information Operations group, which intern has three
centers of excellence: the CF Signals Intelligence (SIGINT) Centre,
the CF Electronic Warfare Centre (CFEWC) and the CF Information
Protection Centre (CFIPC).

The CF SIGINT Center (obviously involved with signals intelligence)
was established to be the domain of the Communications Security
Establishment by the Library of Parliament Background Paper BP-343E.
The ``control and supervision'' of the CSE was transfered by an order
in council under the Public Service Rearrangement and transfer of
Duties Act from the NRC to the DND on April 1st, 1975, so it's quite
possible that the CSE has since been caught up in internal DND
reorganization. A possible scenario would see the CSE retaining only
its information security role, while the SIGINT operations were
transfered to the CFIPC. This is based on a quote from the Information
Operations website (emphasis added):

On the 1st of April 1998, the Canadian Forces Information Operations
Group (CFIOG) was established by the Assistant Deputy Minister
(Information Management) (ADM (IM)). The new group was created from
a consolidation of Headquarters elements and the
Supplementary Radio Systems. It is intended to provide a
focal point for Information Operations within IM Gp.

As well, the CSE's website doesn't have any information at all about
the it's Signals Intelligence role, although that could simply be due
to the highly sensitive and top secret nature of the work. There is no
detail about the CF SIGINT Centre on the Information Operations
website either.

Also, SIGINT is a very specialized field, and I just can't see the DND
having two separate agencies doing the same expensive and labour
intensive work. However, concrete information is difficult to obtain,
due to the secretive nature of the business, so it is possible that
the CSE still operates as a SIGINT unit in parallel with the Canadian
Forces SIGINT unit.

DND communications is heavily dependent on commercial products.
Approximately 95% (``Information Operations'', 2000) of the defense
communications infrastructure is based on commercial systems. A
vulnerability in a commercial system is a vulnerability in Canada's
national defense. As the Government of Canada's Public Key
Infrastructure system is also largely based on commercial technology,
Canada as a whole needs stability and growth in the information
security sector.

Government Policy

For the Canadian government, cryptography policy has three main goals.
The first is to encourage the growth of electronic commerce, the
second is to allow Canadians to export their products within the
frameworks formed by international arrangements, and the third is to
make sure law enforcement can maintain public safety (``Cryptography
policy backgrounder'', 2000).

Use of cryptography

The Canadian policy is to allow its citizens the ability to ``develop,
import and use whatever cryptography products they wish''
(``Cryptography policy backgrounder'', 2000). While the government will
not require mandatory key escrow, it does encourage industry to
consider making key recovery possible. Not requiring key escrow is
made explicit by the Canada Customs and Revenue Agency in its digital
signature policy:

6.2.4 Private key back-up
An Entity may optionally back-up its own
Digital Signature private key. If so, the keys must be copied and
stored in encrypted form and protected at a level no lower than
stipulated for the primary version of the key.

(``Digital Signature Medium Assurance Certificate Policy'', 2000)

The CCRA also has a policy for encryption keys:

6.2.3 Private key escrow
No stipulation.

6.2.4 Private key back-up
The Issuing CA may back-up private keys. The
Entity may also make a back-up of the key. Backed-up keys must be
stored in encrypted form and protected at a level no lower than
stipulated for the primary version of the key.

(``Confidentiality Medium Assurance Certificate Policy'', 2000)

Interestingly, the digital signature policy document makes it very
explicit that keys are not to be escrowed, but may be backed up by the
key owner (referred to as the Entity), while the confidentiality
document makes no strong statement on key escrow, but allows both the
Certificate Authority (CA) and the Entity to make backups of the
keys. Private key backup by a Certificate Authority is eerily close to
key escrow.

As part of its cryptography policy in electronic commerce, the
Government of Canada intends to be a model user of cryptographic
systems. The Government's success with its PKI and NETFILE programs
shows how it is actively accomplishing this objective. With the support
of the Government, the rest of the Canadian economy will be able to
make the transition into electronic commerce a smooth one.

Canada is bound by the Wassenaar Arrangement, which is an
international agreement designed to control the export of
``conventional arms and dual-use goods and technologies'' (``Wassenaar
Website'', 2001). Cryptography falls in the dual-use category, where
dual-use means that it can be used for both military and civil
purposes. Since a meeting in Vienna in December of 1998, the Wassenaar
Arrangement has allowed the free export of products using symmetrical
cryptography of up to 56 bits, asymmetric cryptography products or up
to 512 bits, and other cryptography products such as elliptical curve,
up to 112 bits. Also permitted is the export of goods to perform
authentication, digital signature, and access control, goods
implemented using analog technology, and goods for the purpose of
financial transactions (``Serial 113 - Cryptographic Goods'', 1998).

Public safety

The promise of cryptography in the electronic economy and in the
protection of personal information also brings with it the ability to
conceal evidence and hide communications in the commission of a crime.
To answer possible threats to public safety, the Government of
Canada's cryptography policy lays down four basic rules regarding the
use of cryptography.

The first of these is that it is illegal to wrongfully disclose
cryptographic keys. An example of where this rule would come into
effect is national security; consider a CSIS agent, call him Bob, who
gives his or her private key to someone, call her Eve, who doesn't
have the same security clearance as Bob. If some one else, Alice, were
to send Bob a classified document, and Eve intercepted that document,
then Bob has put national security at risk.

Consider a private sector example of wrongful key disclosure. Alice is
an executive of an engineering company which is just about to wrap up
a large project. Alice is going on vacation, so she gives her secretary, Eve,
her private key so that Eve can respond to anything requiring
immediate attention. While Alice is away, the project completes, and
the client is so please with the work that they award another
contract, worth a large sum of money. Bob, another executive, sends
Alice a message telling her that when this new deal is announced, the
stock price is going to go through the roof. Eve reads this message,
which contains information she wouldn't normally have access too, and
buys a lot of stock, and subsequently makes a lot of money, quits her
job, and moves to Bermuda. The Securities Exchange Commission smells
something fishy, and charges Eve with insider trading, but Alice is
also responsible because she wrongfully disclosed her private key.

The wording of these last three policy items seems rather
vague, probably because nobody is really sure how to implement these
policies. How exactly the Government will be able to deter the use of
cryptography to conceal evidence and still remain true to the stated
policy of allowing Canadians free access to any strength of encryption
is unknown.

Private sector

Canada has a growing information security industrial sector. By
browsing corporate websites, it is clear that a number of companies
working in cryptography, mostly by providing products to protect
information. Some companies are producing public key infrastructure
products and services to help other business' build a secure
communications infrastructure. Both hardware and software products
implementing various cryptographic technologies are being produced by
Canadian firms.

The most notable company, mostly because of its close relationship
with the Government of Canada, is Entrust Technologies. Entrust began
as the secure networks arm of Nortel Networks in 1994. Entrust
Technologies Inc. was incorporated on December 16th 1996 in Maryland,
and Entrust Technologies Limited, was incorporated as the Canadian
subsidurary in Ontario on December 20th, 1996. In 1998, Entrust had
its first initial public offering, and has since been listed on the
Nasdaq exchange under the ticker symbol ``ENTU'' (Entrust, 2001).

Entrust is the firm that the Government of Canada is using to help
create its public key infrastructure. Entrust provided PKI products to
the government in 1995, and was awarded a development contract to
extend those products to include features needed in enterprise (large
scale) situations (``GoC PKI'', 2001).

Cryptography research

In Canada, cryptography is currently being researched at the
University of Calgary and at the University of Waterloo in Ontario,
and probably at many other institutions. Cryptography is a relatively
easy field to start doing research in, since it requires only careful
thought and an examination of what has come before. Contrast this with
experimental physics, which requires millions of dollars in investment
for new instruments. Cryptographic research may be practiced by any
number of students and professors, but only a few have funding
to do cryptography research as their full time jobs.

The research being conducted at the University of Calgary is mostly
being done by Dr. Richard A. Mollin, a professor in the department of
Mathematics and Statistics. Dr. Mollin has published several books,
including one entitled ``Algebraic number theory'', which discusses
the application of number theory to cryptography in the last section
of each chapter. He has also published a complete introductory
cryptography text called ``An introduction to cryptography'', which
discusses in detail the workings of many crypto-systems and the history
behind them. Dr Mollin's research interests lie in the fields of the
theory of continued fractions, reduced ideals and prime-producing
quadratic polynomials. Some of this research is then applied to
cryptography (Mollin, 2001).

The research at Waterloo is a great example of a triple helix. The
Center for Applied Cryptographic Research (CACR) is a joint project between
the Government of Canada, the University of Waterloo, and a number of
corporations. The CACR has a number of items in its missions
statement. In particular, the CACR aims ``to be an internationally
recognized center for research in applied cryptography and related
areas of information security'' (CACR, 1998). The
CACR also facilitates industrial participation, blends various
disciplines, helps to train masters and Phd students, hosts
international researchers, and gives industry access to University
expertise (CACR, 1998).

Quantum computers have the potential to easily solve problems that
would take literally thousands of years on todays ``classical''
computers. This makes it is a very important field of
research.

Conclusion

Questions surrounding the use of cryptography

Some issues remain to be answered in the use of cryptography in
Canada, particularly in the promotion of electronic commerce and in
the protection of public safety.

Is it realistic to expect export laws to prevent the spread of
strong cryptographic algorithms and implementations to those deemed
ineligible to receive them?

Can the use of cryptographic technology to conceal evidence be
controlled in a way that doesn't violate the freedom of Canadians to
use cryptography as layed out in the Government of Canada's
cryptography policy?

What can the Government do to promote electronic commerce to
Canadians?

What can the Government do to increase consumer confidence in
electronic commerce?

To really encourage the growth of electronic commerce and ensure the
safety of Canadians, the Government of Canada must make and effort to
address question like the ones posed here.

Source search successes

Of particular use was the book Spy Wars by Granatstein and
Stafford. Spy Wars gives the uniquely Canadian perspective on the
international intelligence community which is so often missing from
other books. Most of the material on the Communications Security
Establishment, an agency so secret that the Canadian public in general
learned of its existence only after it had already been operating for
33 years, came from this book. The book was a joy to read, and is
highly recommended to anyone interested in the intelligence industry;
Canadian intelligence in particular.

Another very useful source was Steven Levy's book Crypto which
provided much of the conceptual information on how public key
cryptography and digital signatures work.

The internet was used a great deal to find much of the information
contained in this report. The Government of Canada has a large buffet
of web sites containing all kinds of information, much of it well
written and pleasantly presented. Much of the information on the
various web sites that were used correlate well, providing a degree
of assurance that the information was correct. The web was a valuable
tool for find the most up to date information; some sites had been
updated only a day or two before I visited them.

Further work

Much more work could be done to quantify the current state of
cryptographic research in Canada. The two examples I used, The Center
for Applied Cryptographic Research at Waterloo and the independent
Mollin at Calgary probably only scratch the surface of the research
being conducted. Cryptography is a field which has relatively low
entry barriers for a mathematician; mostly a lot of reading on the
current state of the field. I would not be surprised to find
cryptographers, either amateur or actively researching, working in math
departments across the country and around the world.

By using the Access to Information Act (``Information Commissioner'',
2000), it should be possible to retrieve a much greater range of
information about the early work of the Examination Unit. In fact,
this is how Granatstein and Stafford got most of their information.
The names of the ciphers that were broken, how that was done, what
ciphers the Examination Unit produced for the Government, and so on,
would make for an interesting paper all on its own. It may also be
possible through Access to Information Act requests to get a clear
picture of how SIGINT is currently handled in Canada; whether or not
the Communications Security Establishment has actually turned its
SIGINT responsibilities over to the Canadian Forces SIGINT group could
possibly be resolved.

There are many government project now in place which use cryptography
in some form. Continued investigation into government cryptography
use could lead to interesting information. The depth of the Canadian
cryptography industry also needs much greater exploration; there is
more to it than Entrust Technologies.

Closing

From the early success of the Examination Unit in World War II, to the
recent popularity of NETFILE, Canada's involvement in cryptography has
been growing. Canada's military and government organizations have been
benefiting from the use of cryptographic technology for some time, and
now the private sector is beginning to see benefits as well. The
Government of Canada wants to see Canada's marketplace grow, and
recognizes the ability to communicate securely as a very important
step. Canada's forward looking policies and programs bring it closer
to more efficient government, and an expanding economic outlook.

Overall, cryptography is becoming more and more ubiquitous in Canada,
mostly without the general public knowing about it. However, for
electronic commerce to really grow in Canada, the general public must
be made aware of the cryptography being used to protect online
transactions, and must be able to trust cryptographic systems and
technologies. Consumer confidence is of utmost importance to Canada's
electronic marketplace, but so is ease of use. Cryptographic
technology has slowly advanced to the point where the use of
cryptography is transparent and painless to the end user, which makes
one less hassle on the road to safe and secure electronic commerce.